
Friday, 31 Jul , 2015

When Business Culture Eats Cybersecurity For Breakfast – Part Two


Fatal Fails, Piecemeal Resurrections & The Budget Battleground - Part 2 of a story of budget cuts, blamestorming, breaches and massive bumps in the road to mature security.

A four-part story of budget cuts, blamestorming, breaches and massive bumps in the road to mature security. You can find the other instalments here

Fatal Fails, Piecemeal Resurrections & The Budget Battleground

In the first part of the story I talked about Nick Leeson’s destruction of Barings Bank. I likened the way he concealed growing losses and gambled to try and recoup them to the way companies accumulate security debts through long-term underspend. Debts occasionally and superficially reduced by splurges on shiny security solutions. Debts multiplied by periodic IT transformation activity, motivated by a market-pleasing drive to cut overhead costs. It ended with a prediction of horrific fallout when all of those factors conspire with external threats to produce one monumental disaster.
20 years ago, both the Kobe earthquake and an audit conspired to end Nick’s billion dollar loss-masking fraud. So very similar to the kind of security events that jar complacent firms awake. Scapegoats are chosen, new brooms are bought and a more careful breed start to build infrastructure and security up from the depths of the recessionary dip. Frequently the causes of the longer-term, breach-inviting descent are not recognised, or are ignored.

New brooms and tunnel ‘route to green’ vision

The new folk in charge are just as keen to establish and retain their creds. They know the half-life of the tenure of a CISO. They benefit from momentum, visibility and budget brought by post-incident audit findings. The one thing that still isn’t in abundant supply – patience. Natural gravitation is towards big ticket fixes. Ones that show a speedy and easily understood ‘route to green’. A route that often creates tunnel vision for board members, risk functions, auditors and regulators. Key performance indicators, defined critical success factors and targets are stretched to creative breaking points.
What’s not generally on the route is careful stock taking and a step-by-step repair of the cavernous and widespread holes dug in the past. Soon the mirrors reflecting progress are so smoky no-one can see anything resembling a real risk any more. At the same time, in the less reported background, old persistent problems bed in for the long haul. If the improvement work hits a pothole (perhaps one of the older, less sexy issues results in an impactful incident), the security chief gets swapped for a different model, or a new, easily marketed fix is tried. That process repeats until a period of relative peace prevails.
It doesn’t last. Perhaps the share price dips, or more merger and acquisition activity looms, leading inexorably to overhead stripping conversations. IT and security are perceived as being in a good place. After all, LOTS of money has been spent and the teams sustaining newly bolstered tools and processes are bigger than they’ve ever been…
…and so the wheel turns. Continuing the cycle I began to describe in part one of the story. A wheel on which the backs of many diligent managers and committed operational ‘resources’ have been broken.

Who can apply the brakes?

I have just painted a damning picture of corporate culture and it’s by no means true everywhere. It’s more like a ‘Bottom 10’ of counterproductive behaviours collated from a plethora of conversations over many years. There are firms who establish and responsibly scale security infrastructure and supporting functions. Responding not just to the push and pull of profit and loss, but to the reality of threats and risks that evolve with business growth, diversification and outsourcing. Achieving that is entirely dependent on a top-to-bottom understanding of how security fits into the wider world of business objectives. People who understand that, communicate it clearly and foster sufficient credibility to get and keep the confidence of business leaders, are rare. Not hen’s teeth rare, but rare nonetheless.
Folk who can do that in a business locked into the kind of boom/bust cycle described in the story so far, are more like chicken molars. Even if they do get their foot in the door and achieve some good constructive stuff, they’ll be unlikely to weather a serious cost cutting drive, or an incident linked to something they haven’t got round to fixing yet. The fact that risk mitigation is a never-ending journey is beside the point. It’s evidence of failure. Thus both the bad and the good guys (and we all know a number of incredibly hard working and supremely effective security leaders) get locked into political traps. They get forced to behave in a way that chafes on their better judgement, professional integrity and often (when teams really begin to suffer) their personal ethics. In that situation, as many jump as get pushed.

Security strategy vs never-ending whack-a-mole

Security management is not a straightforward job. Credibility of the function can get undermined simply because there’s no breathing space to formulate a useful strategy, meaningful plan and persuasive budget justification. Great achievements can drown in business-as-usual noise and activity can devolve into a persistently reactive game of whack-a-mole. There are various management models out there, so what I’ve put below is my basic view of the corner pieces of the security jigsaw. Pieces either missing or squeezed out in many businesses:

Non-operational space to see the threat and risk picture. Match it (in collaboration with the board) to business priorities. Set realistic, risk-driven benchmarks beyond legal and regulatory absolutes that reflect business risk tolerance. Define achievable short, medium and long-term goals and research the best options for rational, sustainable mitigation.

Then mitigation needs sufficient budget and people to be planned, implemented and run (that latter part can get lost in the budget bunfight).

Accumulated risk and performance information should be aggregated, with key findings fed up to strategists, architects and business stakeholders. Not forgetting to model resourcing requirements, based on real effort and the risk of headcount loss, for the operational functions that generate the data while running and updating tools and processes.

Then taking the trends and risk hotspots identified and translating them into easily consumable and impactful education for everyone in the business.

The IT vs security budget battleground

There’s tension between all of the above things. Constructive tension and natural challenges that help balance and inform priorities…the same constructive tension that should exist between IT and security, but as things stand that’s illusory. It’s like a tug of war with The Rock on one end and Pee Wee Herman on the other. It’s mainly down to one simple fact: people ‘get’ IT and IT risks better. They produce more measurable impacts (e.g. $x per lost work hour/day) and are more immediately felt by the business. That almost invariably puts security on the back foot (or on its arse) in the budget battleground. The source of yet more security debt to add to the stockpile.
That’s why I argue security should not have the same reporting line as IT. The driving forces, while similar, are not the same. The industry-wide understanding of what ‘good’ security looks like, compared to understanding of ‘good’ IT – not the same. The nature and length of the journey from now to sustainably secure vs stabilising IT to cope with future plans – little comparison.
But that’s still just a part of the picture. You need to convince the managers, players, referees and rule makers to change the game. There was a widespread web of tacit approval and silence enabling Leeson’s catastrophe. A web that included auditors and regulators.
If you don’t tackle cultural issues in all lines of defence, plans to repay security debts are unlikely to get off the ground, or if they do, they probably won’t outlast the first bump on the road.

Part One – Wild Speculation & IT Transformation
Part Three – Lines Of Progress-Limiting Defence
Part Four – Chucking Boulders In Our Glass Cybersecurity House

This post is based on my personal opinion and is not intended to reflect the opinions or practices of any past or present employers.
